Malware Analysis Report

2024-12-07 14:35

Sample ID 241011-s5fdwszdqc
Target file01.vbs
SHA256 a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037
Tags: defense_evasion discovery exploit persistence ransomware

Score: 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score

9/10

SHA256

a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037

Threat Level: Likely malicious

The file file01.vbs was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit persistence ransomware

Renames multiple (15054) files with added filename extension

Renames multiple (24556) files with added filename extension

Drops file in Drivers directory

Possible privilege escalation attempt

Boot or Logon Autostart Execution: Print Processors

Indicator Removal: Clear Windows Event Logs

Modifies file permissions

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 15:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 15:42

Reported

2024-10-11 15:44

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

Signatures

Renames multiple (15054) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\battc.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\portcls.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\cdrom.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\agilevpn.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dxg.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vdrvroot.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\ULIAGPKX.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\cdrom.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\GAGP30KX.SYS.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\acpipmi.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\BrFiltUp.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ipfltdrv.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\stream.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\ndis.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usb8023.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\BrSerIb.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\pscr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\HdAudio.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\isapnp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\AGP440.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mpio.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\wdf01000.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\tpm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\tsusbflt.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\acpi.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\portcls.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\RNDISMP.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\acpi.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\usbport.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\tpm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vwifibus.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\ndiscap.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\modem.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\mountmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\amdide.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\hidbth.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\ohci1394.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\rdvgkmd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\parport.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\partmgr.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\pcmcia.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\scsiport.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\mpio.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\HpSAMD.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\msdsm.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\serial.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\volsnap.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\sermouse.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\dmvsc.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\serscan.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\etc\hosts.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\battc.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\fltmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\kbdhid.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\srv.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\IPMIDrv.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\disk.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\wdf01000.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\appid.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\intelppm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\amdppm.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\nwifi.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\bxvbda.sys.bat C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\jnwppr.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\de-DE\LXKPTPRC.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\en-US\LXKPTPRC.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\es-ES\LXKPTPRC.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\fr-FR\LXKPTPRC.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\it-IT\LXKPTPRC.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\prtprocs\x64\ja-JP\LXKPTPRC.DLL.mui.bat C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Key Management Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Media Center.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\OAlerts.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Setup.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Application.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\System.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.bat C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\takeown.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\es-ES\efssvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\interop.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVRA0.DLL.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\dsprop.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\localspl.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPOJ6200.CFG.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\wnetvsc.inf_amd64_neutral_548addf09cb466fa\netvsc60.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\usb.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\dot3gpclnt.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\localui.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\iscsiexe.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\mimefilt.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~en-US~7.1.7601.16492.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\oobe\it-IT\privacy.rtf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\en-US\PSCRIPT5.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~el-GR~7.1.7601.16492.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky006.inf_amd64_neutral_522043c34551b0c0\Amd64\KYEP510D.PPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\sml405.gpd.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\hpowiav1.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\fveprompt.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\objsel.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\NlsData004b.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\dot4prt.inf_amd64_neutral_e7d3f62d0d4411db\Dot4Prt.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netr28ux.inf_amd64_neutral_54f2470c084714e1\netr28ux.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep003.inf_amd64_neutral_92ed2d842e0dd4ea\PRNEP003.CAT.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnky308.inf_amd64_ja-jp_d90af802b607044a\Amd64\KYPS51DN.GDL.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\uxtheme.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\BioCredProv.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\wlancfg.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\KBDGR.DLL.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wlanhlp.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\wvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\es-ES\CNBBR311.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\ja-JP\win32_tpm.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_Continue.help.txt.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\route.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\raschap.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\uicom.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\dsprop.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\montr_ci.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MediaPlayback-OC-Package~31bf3856ad364e35~amd64~it-IT~6.1.7601.17514.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpc3100t.xml.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpd7300t.gpd.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\mimefilt.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\ja-JP\HPFIME50.DLL.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\de-DE\about_Throw.help.txt.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\ESENT.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\ndisuio.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\ipsecsnp.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\drt.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\fdrespub.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\SmiEngine.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\ja-JP\netvwififlt.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\verifier.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\SmartcardCredentialProvider.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spool\drivers\x64\3\es-ES\hp8500nt.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnep00c.inf_amd64_neutral_f0d9ddf52f04765c\Amd64\EP0NGJ7E.GPD.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\prnsa002.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\DfrgUI.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\Netplwiz.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-JP\NetworkMap.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\capiprovider.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\Licenses\_Default\ProfessionalE\license.rtf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnbr007.inf_amd64_neutral_add2acf1d573aef0\Amd64\BRD9040N.GPD.bat C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 268 wrote to memory of 2224 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 268 wrote to memory of 2224 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 268 wrote to memory of 2224 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2224 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2224 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2224 wrote to memory of 2488 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2224 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2224 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2224 wrote to memory of 2696 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 15:42

Reported

2024-10-11 15:44

Platform

win10v2004-20241007-en

Max time kernel

99s

Max time network

124s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

Signatures

Renames multiple (24556) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\UMDF\ja-JP\SensorsHid.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\percsas3i.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\USBAUDIO.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\pci.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\hidbth.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\bthenum.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\en-US\wpdmtpdr.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\srv2.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\rdvgkmd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mlx4_bus.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\usbhub.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\sdstor.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\modem.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\i8042prt.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\sdbus.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\cmimcext.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ipt.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mpsdrv.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\rdvgkmd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mup.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\tsusbflt.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\volsnap.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\mgtdyn.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\es-ES\SensorsCx.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\MegaSas2i.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rasacd.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\rdbss.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\usbehci.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vwifibus.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\PktMon.sys.mui.bat C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3232 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 3232 wrote to memory of 2280 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2280 wrote to memory of 4640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2280 wrote to memory of 4640 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 2280 wrote to memory of 4092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2280 wrote to memory of 4092 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\file01.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

Network

Country Destination Domain Proto
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708